CodeQL documentation

Log injection

ID: rb/log-injection
Kind: path-problem
Security severity: 7.8
Severity: error
Precision: medium
Tags:
   - security
   - external/cwe/cwe-117
Query suites:
   - ruby-security-extended.qls
   - ruby-security-and-quality.qls

Click to see the query in the CodeQL repository

If unsanitized user input is written to a log entry, a malicious user may able to forge new log entries.

Forgery can occur if a user provides some input with characters that are interpreted when the log output is displayed. If the log is displayed as a plain text file, then new line characters can be used by a malicious user. If the log is displayed as HTML, then arbitrary HTML may be included to spoof log entries.

Recommendation

User input should be suitably sanitized before it is logged. Suitable means of sanitization depend on how the log entries will be displayed or consumed.

If the log entries are in plain text then line breaks should be removed from user input, using String#gsub or similar. Care should also be taken that user input is clearly marked in log entries.

For log entries that will be displayed in HTML, user input should be HTML-encoded before being logged, to prevent forgery and other forms of HTML injection.

Example

In the example, a username, provided by the user, is logged using `Logger#info`.

In the first case, it is logged without any sanitization. If a malicious user provides `username=Guest%0a[INFO]+User:+Admin%0a` as a username parameter, the log entry will be split in two different lines, where the second line will be `[INFO]+User:+Admin`.

require 'logger'

class UsersController < ApplicationController
  def login
    logger = Logger.new STDOUT
    username = params[:username]

    # BAD: log message constructed with unsanitized user input
    logger.info "attempting to login user: " + username

    # ... login logic ...
  end
end

In the second example, String#gsub is used to ensure no line endings are present in the user input.

require 'logger'

class UsersController < ApplicationController
  def login
    logger = Logger.new STDOUT
    username = params[:username]

    # GOOD: log message constructed with unsanitized user input
    sanitized_username = username.gsub("\n", "")
    logger.info "attempting to login user: " + sanitized_username

    # ... login logic ...
  end
end

References

  • © GitHub, Inc.
  • Terms
  • Privacy